mirror of https://github.com/JohnHammond/CTFd.git
Fix missing Team API exceptions (#1058)
* Add require_team decorator to endpoints that request teams. * Change status code for captain endpoints to return 403 instead of 400selenium-screenshot-testing
parent
f033f16490
commit
b453125726
|
@ -10,7 +10,7 @@ from CTFd.utils.decorators.visibility import (
|
||||||
check_score_visibility,
|
check_score_visibility,
|
||||||
)
|
)
|
||||||
from CTFd.utils.user import get_current_team, is_admin
|
from CTFd.utils.user import get_current_team, is_admin
|
||||||
from CTFd.utils.decorators import authed_only, admins_only
|
from CTFd.utils.decorators import authed_only, admins_only, require_team
|
||||||
import copy
|
import copy
|
||||||
|
|
||||||
teams_namespace = Namespace("teams", description="Endpoint to retrieve Teams")
|
teams_namespace = Namespace("teams", description="Endpoint to retrieve Teams")
|
||||||
|
@ -110,6 +110,7 @@ class TeamPublic(Resource):
|
||||||
@teams_namespace.param("team_id", "Current Team")
|
@teams_namespace.param("team_id", "Current Team")
|
||||||
class TeamPrivate(Resource):
|
class TeamPrivate(Resource):
|
||||||
@authed_only
|
@authed_only
|
||||||
|
@require_team
|
||||||
def get(self):
|
def get(self):
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
response = TeamSchema(view="self").dump(team)
|
response = TeamSchema(view="self").dump(team)
|
||||||
|
@ -120,6 +121,7 @@ class TeamPrivate(Resource):
|
||||||
return {"success": True, "data": response.data}
|
return {"success": True, "data": response.data}
|
||||||
|
|
||||||
@authed_only
|
@authed_only
|
||||||
|
@require_team
|
||||||
def patch(self):
|
def patch(self):
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
if team.captain_id != session["id"]:
|
if team.captain_id != session["id"]:
|
||||||
|
@ -128,7 +130,7 @@ class TeamPrivate(Resource):
|
||||||
"success": False,
|
"success": False,
|
||||||
"errors": {"": ["Only team captains can edit team information"]},
|
"errors": {"": ["Only team captains can edit team information"]},
|
||||||
},
|
},
|
||||||
400,
|
403,
|
||||||
)
|
)
|
||||||
|
|
||||||
data = request.get_json()
|
data = request.get_json()
|
||||||
|
@ -226,6 +228,7 @@ class TeamMembers(Resource):
|
||||||
@teams_namespace.route("/me/solves")
|
@teams_namespace.route("/me/solves")
|
||||||
class TeamPrivateSolves(Resource):
|
class TeamPrivateSolves(Resource):
|
||||||
@authed_only
|
@authed_only
|
||||||
|
@require_team
|
||||||
def get(self):
|
def get(self):
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
solves = team.get_solves(admin=True)
|
solves = team.get_solves(admin=True)
|
||||||
|
@ -243,6 +246,7 @@ class TeamPrivateSolves(Resource):
|
||||||
@teams_namespace.route("/me/fails")
|
@teams_namespace.route("/me/fails")
|
||||||
class TeamPrivateFails(Resource):
|
class TeamPrivateFails(Resource):
|
||||||
@authed_only
|
@authed_only
|
||||||
|
@require_team
|
||||||
def get(self):
|
def get(self):
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
fails = team.get_fails(admin=True)
|
fails = team.get_fails(admin=True)
|
||||||
|
@ -267,6 +271,7 @@ class TeamPrivateFails(Resource):
|
||||||
@teams_namespace.route("/me/awards")
|
@teams_namespace.route("/me/awards")
|
||||||
class TeamPrivateAwards(Resource):
|
class TeamPrivateAwards(Resource):
|
||||||
@authed_only
|
@authed_only
|
||||||
|
@require_team
|
||||||
def get(self):
|
def get(self):
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
awards = team.get_awards(admin=True)
|
awards = team.get_awards(admin=True)
|
||||||
|
|
|
@ -118,6 +118,9 @@ def require_team(f):
|
||||||
if get_config("user_mode") == TEAMS_MODE:
|
if get_config("user_mode") == TEAMS_MODE:
|
||||||
team = get_current_team()
|
team = get_current_team()
|
||||||
if team is None:
|
if team is None:
|
||||||
|
if request.content_type == "application/json":
|
||||||
|
abort(403)
|
||||||
|
else:
|
||||||
return redirect(url_for("teams.private", next=request.full_path))
|
return redirect(url_for("teams.private", next=request.full_path))
|
||||||
return f(*args, **kwargs)
|
return f(*args, **kwargs)
|
||||||
|
|
||||||
|
|
|
@ -106,7 +106,7 @@ def test_api_users_can_change_captain_on_self_team():
|
||||||
# I am not the captain
|
# I am not the captain
|
||||||
with login_as_user(app, name="user2") as client:
|
with login_as_user(app, name="user2") as client:
|
||||||
r = client.patch("/api/v1/teams/me", json={"captain_id": 3})
|
r = client.patch("/api/v1/teams/me", json={"captain_id": 3})
|
||||||
assert r.status_code == 400
|
assert r.status_code == 403
|
||||||
|
|
||||||
# Look at me, I'm the captain now
|
# Look at me, I'm the captain now
|
||||||
with login_as_user(app, name="user1") as client:
|
with login_as_user(app, name="user1") as client:
|
||||||
|
|
|
@ -339,7 +339,7 @@ def test_api_team_patch_me_logged_in_user():
|
||||||
r = client.patch(
|
r = client.patch(
|
||||||
"/api/v1/teams/me", json={"name": "team_name", "affiliation": "changed"}
|
"/api/v1/teams/me", json={"name": "team_name", "affiliation": "changed"}
|
||||||
)
|
)
|
||||||
assert r.status_code == 400
|
assert r.status_code == 403
|
||||||
destroy_ctfd(app)
|
destroy_ctfd(app)
|
||||||
|
|
||||||
|
|
||||||
|
@ -640,7 +640,7 @@ def test_api_team_patch_password():
|
||||||
"/api/v1/teams/me",
|
"/api/v1/teams/me",
|
||||||
json={"confirm": "password", "password": "new_password"},
|
json={"confirm": "password", "password": "new_password"},
|
||||||
)
|
)
|
||||||
assert r.status_code == 400
|
assert r.status_code == 403
|
||||||
|
|
||||||
assert r.get_json() == {
|
assert r.get_json() == {
|
||||||
"errors": {"": ["Only team captains can edit team information"]},
|
"errors": {"": ["Only team captains can edit team information"]},
|
||||||
|
|
Loading…
Reference in New Issue